When your car breaks down, there are several avenues you can take to get it repaired: You can bring it to the dealer, you can go to an independent mechanic or you can repair it yourself.
With modern cars, the latter choice is getting harder for all but the most basic maintenance. So, if we leave out the do-it-yourself option, the choices usually come down to trust and level of knowledge.
Some people will choose a car dealer for repairs because they believe the dealer will have the right knowledge, systems and parts to fix the car correctly. So, for example, a Ford dealer would fix Ford models best, and a Toyota dealer would fix Toyota models best.
But many people believe this "insider" knowledge is overrated and choose their mechanic based on competence, referrals and trust built over time.
I'm in this second group. I go to a mechanic who has gained my trust over the years, and I will always take my cars to him for any work that they need.
While some people may choose to go the dealer route, no one questions the desire to go to an independent mechanic. Everyone understands that it's a level playing field—that a Nissan mechanic is as likely to mess up a repair of a Nissan vehicle as an independent mechanic is. Conversely, an independent mechanic is as likely to do quality work on a Nissan vehicle as a Nissan person is.
But when it comes to fixing holes and problems in software, these distinctions aren't as clear-cut. Many people assume that, for example, only Microsoft can fix Microsoft software problems and that anyone who goes to a third party for fixes is asking for trouble.
Me? I'm not so sure that there is much of a difference.
Recently, a group of independent security researchers called the Zeroday Emergency Response Team (ZERT) released its own patch for a serious flaw in Microsoft software. ZERT recognized (correctly, in my opinion) that malware authors are taking advantage of Microsoft's Patch Tuesday calendar by releasing new exploits on the Wednesday after patches come out.
ZERT is made up of well-known and well-respected security researchers, and there's no reason to think that its recently released patch won't work well. Still, many in the IT community are leery of it, worrying that it might not fully fix the problem or that it might cause problems of its own.
When I hear things like this, my first thought is, "Yeah, like Microsoft has never released a patch that didn't work or that caused problems of its own."
To me, it's just like the car mechanic scenario: If this ZERT patch works well and if the same is true for subsequent patches ZERT releases, then users should have no fear of using the group's patches in conjunction with (or even in place of) official Microsoft patches.
Turning to third-party security professionals for patches and workarounds isn't even that radical of an idea. Large businesses have been employing security companies and consultants for years to deploy fixes and patches for internal systems, rather than waiting for vendor fixes.
But, just as automakers would rather have customers get their vehicles repaired at dealerships, software vendors would rather have users deploy vendor-issued security tools and fixes. And this is leading to another, less welcome similarity between auto repairs and software fixes.
For years now, independent auto mechanics have been waging legal and public relations warfare against automakers that have been trying every method they can to shut out these independent folks—from limiting access to necessary parts to locking out access to vehicle computer systems and diagnostics.
In a similar vein, security companies are currently locking horns with Microsoft over the company's plans to prevent third-party security companies from being able to access the Vista security panel, essentially shutting out the security companies from what will be Vista users' main view into system security.
No matter what your philosophy, you should make it clear that software security and fixes should be open to competition. Because once competition goes down the drain, quality is usually quick to follow. And a poor-quality security fix is no fix at all.
Labs Director Jim Rapoza can be reached at firstname.lastname@example.org.